User Ignorance
Mending the gaping security hole in your network
by Bret A. Fausett
May 2002
If you're responsible for maintaining the security of your company's
data, what you're about to learn should scare you senseless. Go ahead,
try this with me.
Start by finding a late-generation Gnutella application like LimeWire or BearShare.
As you know, these applications make your computer a node in a peer-to-peer
(P2P) file-sharing network with other users who are running similar applications.
So now that you've opened your Gnutella application, here's what I want you
to do. In the Search menu, set the data type that you want to search for to
Document. This is one of several selections typically available among Programs,
Music, Video, Images, or the all-inclusive Any Type. Now, for your search query
use .doc, the standard file extension for Microsoft Word documents, and nothing
else. Press Search.
It won't take much time for a long list of Microsoft Word files available
for download to start showing up in your search results window. Don't
download any of them, just look at the titles. If your experience is anything
like mine, you'll see names that appear to describe legal memoranda,
employee evaluations, business plans, correspondence to clients and customers,
any number of the documents that companies create every day in the normal course
of business.
The Human Factor
Your first reaction may be amusement at how incredibly clueless some companies'
employees are to put their data up on a P2P network that's potentially
visible to the entire world. Your second reaction is probably to remember, in
horror, that you have some clueless employees working for you too.
How did this happen? The technical answer is the easy one.